Michael Leone on 7 Aug 2015 06:14:00 -0700



Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users


OK, so I will admit that these days, I'm pretty much a Windows and
VMware admin, don't do a lot of Linux. I know how I would do it in the
other OS, so I would appreciate somebody verifying this, before I turn
it loose on my one and only SFTP server .. the concepts should be
pretty much the same.

I need the users to have a home directory where they have only
read-only access, but I - as "SupremeAdmin" user, have read-write
access, so I can leave files for the users to download via SFTP.

Here's what I am thinking:

I will eventually be using my account, "SupremeAdmin" (no, that's not
its real name :-)). I create a structure called "/Project". I verify
that group rights are RW (the group being my "SupremeAdmin" group). So
now this directory structure is RW for me, alone.

I create new users, specifying their home directory as
"/Project/<user>". I do *not* add the user to my "SupremeAdmin" group.
I then remove their write access to their home directory (chmod u-w).

How do I get my group "SupremeAdmin" to have RW rights into
"/Project/<user>"? When I create "/Project/<user>", won't the group
attached to that directory be the group the user is in?

Will that do it? When the users connect via SFTP, they will go right
to their home directory "/Project/<user>". They will be able to get
there? They won't need R access to "/Project", to be able to access
something under "/Project"?

As for the rest, I can write a file for the user into their home
directory, and they can SFTP in and download it. But they *won't* be
able to delete said file, nor create new files (as they don't have W
access in that directory).

What am I missing, so far?
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
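
An added example, not part of the original message: a small Python model of classic POSIX mode-bit checks, applied to the directory layout the message describes. The user name `alice`, the octal modes, and the `ADMIN_OWNED` variant are assumptions made for illustration; ACLs and root's override are not modelled.

```python
# Added example: models classic POSIX mode-bit checks (no ACLs, no root override).
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int

def bits(node, user, groups):
    """Exactly one class applies: owner first, then group, then other."""
    if user == node.owner:
        return (node.mode >> 6) & 7
    if node.group in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def allowed(tree, path, user, groups, want):
    """Need search (x) on every ancestor directory, plus `want` on the target."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:i])
        if not bits(tree[ancestor], user, groups) & X:
            return False
    return (bits(tree[path], user, groups) & want) == want

def can_chmod(tree, path, user):
    """Only the owner (or root) may change a directory's mode bits."""
    return tree[path].owner == user

# Constructed layout; "alice" and the mode values are assumptions.
AS_PLANNED = {
    "/Project": Node("SupremeAdmin", "SupremeAdmin", 0o771),  # others: x only
    "/Project/alice": Node("alice", "SupremeAdmin", 0o570),   # chmod u-w, group set to admin group
}
# Hypothetical variant: admin owns the directory, user reads via her own group.
ADMIN_OWNED = {
    "/Project": Node("SupremeAdmin", "SupremeAdmin", 0o771),
    "/Project/alice": Node("SupremeAdmin", "alice", 0o750),
}

def report(tree):
    user, admin = ("alice", {"alice"}), ("SupremeAdmin", {"SupremeAdmin"})
    home = "/Project/alice"
    return {
        "user_can_list_home": allowed(tree, home, *user, R | X),
        "user_can_create_or_delete": allowed(tree, home, *user, W | X),
        "user_can_list_project": allowed(tree, "/Project", *user, R),
        "admin_can_write_home": allowed(tree, home, *admin, W | X),
        "user_can_chmod_home": can_chmod(tree, home, "alice"),
    }
```

In the `AS_PLANNED` layout the user still owns the directory, so the model reports that the user can change its mode bits; in the `ADMIN_OWNED` variant that is no longer the case.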